PatchSiren


CVE-2016-5782 Locusenergy CVE debrief

CVE-2016-5782 describes an input-validation flaw in the PHP script used by Locus Energy LGate meters to manage meter parameters, voltage monitoring, and network configuration. The CVE record rates the issue HIGH with CVSS 8.6 and a network attack vector with no privileges or user interaction required. The NVD entry maps the problem to CWE-20 (Improper Input Validation) and lists affected LGate firmware plus the LGate 50, 100, 101, 120, and 320 product families in the CVE description.

Vendor: Locusenergy
Product: CVE-2016-5782
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Operators and administrators of Locus Energy LGate deployments should care, especially anyone using the web interface or remote management functions for meter configuration or network settings. Industrial, energy-monitoring, and facilities teams should prioritize this if the devices are reachable over any network, trusted or untrusted.

Technical summary

The vulnerable component is a PHP script that handles POST requests for energy meter parameters and related configuration. Submitted POST data is not properly validated before use, which is consistent with CWE-20. According to the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), the flaw is remotely reachable, requires no privileges or user interaction, and has high impact on confidentiality and low impact on integrity and availability.

Defensive priority

High. The combination of remote reachability, no required privileges, no user interaction, and high confidentiality impact makes this a strong patch and exposure-management priority for any exposed LGate instance.

Recommended defensive actions

  • Identify all Locus Energy LGate devices and firmware versions in your environment, including any systems tied to the affected LGate families named in the CVE description.
  • Restrict network access to LGate management interfaces to trusted administrative networks only.
  • Review vendor and ICS-CERT guidance for this CVE and apply the recommended firmware or mitigation steps referenced in the advisory.
  • Monitor for unauthorized configuration changes or unexpected POST activity against the device management interface.
  • If remediation cannot be applied immediately, place compensating controls around segmentation, access control, and service exposure until the device is updated.
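
The monitoring and access-restriction actions above can be checked against proxy or firewall logs. The following is an added example, not code from the advisory or the vendor: the log format, IP addresses, admin subnet, and script path placeholder are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (constructed for this example, not taken from the advisory):
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # trusted admin subnet
LGATE_HOSTS = {"192.0.2.10", "192.0.2.11"}           # inventoried LGate devices

# Constructed log format: "<ts> <src_ip> <dst_ip> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines; the script name is a placeholder, the page does not name it.
SAMPLE_LOG = """\
2024-01-01T08:00:01Z 10.20.0.5 192.0.2.10 GET /index.php 200
2024-01-01T08:00:09Z 10.20.0.5 192.0.2.10 POST /lgate-script-placeholder.php 200
2024-01-01T09:13:44Z 198.51.100.7 192.0.2.10 POST /lgate-script-placeholder.php 200
2024-01-01T09:13:45Z 198.51.100.7 192.0.2.11 POST /lgate-script-placeholder.php 200
2024-01-01T09:20:00Z 198.51.100.7 192.0.2.99 POST /login.php 200
malformed line
2024-01-01T10:02:10Z 10.30.4.4 192.0.2.11 POST /lgate-script-placeholder.php 500
"""

def is_admin(src):
    """True only if src parses as an IP inside a trusted admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in ADMIN_NETS)

def find_unexpected_posts(log_text):
    """Return (alerts, per-source counts, unparsed line count) for POSTs
    to inventoried LGate hosts that come from outside the admin networks."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # count unparsed lines so log gaps stay visible
            continue
        if m["method"] == "POST" and m["dst"] in LGATE_HOSTS and not is_admin(m["src"]):
            alerts.append((m["ts"], m["src"], m["dst"], m["path"], m["status"]))
    return alerts, Counter(a[1] for a in alerts), skipped

if __name__ == "__main__":
    alerts, by_src, skipped = find_unexpected_posts(SAMPLE_LOG)
    for a in alerts:
        print("ALERT", *a)
    print(dict(by_src), "unparsed lines:", skipped)
```

Any alert also indicates that the management interface is reachable from outside the admin subnet, so it doubles as a check on the access restriction itself.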

Evidence notes

This debrief is supported by the CVE description, which states that the PHP code does not properly validate information sent in the POST request. NVD classifies the weakness as CWE-20 and assigns the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L. The record references US-CERT/ICS-CERT advisory ICSA-16-231-01-0 and SecurityFocus BID entries 94698 and 94782. The CVE description names LGate prior to 1.05H and the LGate 50/100/101/120/320 products as affected, while the NVD CPE data marks lgate_firmware as vulnerable.

Official resources

The CVE was published on 2017-02-13T21:59:00.190Z and the NVD record was last modified on 2026-05-13T00:24:29.033Z. Timing in this debrief follows the CVE publication date provided in the source corpus.